
aaronanderson 07-08-2012 03:07 AM

iptables connection limits
I recently upgraded from Ubuntu natty to precise, which upgraded my kernel from 2.6.32 to 3.2.0. Since the upgrade yesterday I've noticed that certain websites don't load correctly. It appears that sites that have a large number of images (500+) don't fully load. Looking at the network graph in Chrome (F12), it shows that they time out. I'm wondering if there is some kind of maximum concurrent connections or something.

If I use a socks proxy through ssh (ssh -D) everything works fine so it's definitely something with the iptables masquerade in 3.2.0.

My firewall script is MonMotha's firewall script (

I realize that this is somewhat vague but any thoughts are greatly appreciated.


eSelix 07-08-2012 04:47 AM

I don't know about others, but I can't download this MonMotha - the site is down. Maybe it is too old. You can paste the output of "iptables -S" here.

unSpawn 07-08-2012 07:52 AM

...yeah I'd expect at least a (Safe For LQ) web site address to test ourselves, output of 'cat /proc/net/ip_tables_names|while read TABLE; do iptables -t $TABLE --line-numbers -nvxL; done' as well as 'sysctl -a | egrep "ipv4|conntrack";'. And since it's not a Linux Security issue I'm moving this thread to /Networking.

aaronanderson 07-09-2012 02:59 PM

Sorry that the website doesn't work. I've had this script for years.

My iptables output is here:
My firewall script is here:

I've changed my gateway device from my Linux box to a D-Link router. No problems, so it's definitely something with iptables.
I'm going to try and compile the latest kernel (3.4.4) and see if that fixes the problem.

If there are any other suggestions, that would be greatly appreciated.

eSelix 07-10-2012 06:06 AM

Well, from what I see, initial packets go to INETOUT, where they are accepted, and answers go through INETIN, where already established connections are accepted. It seems OK. There are some earlier rules where packets with specified destination ports are limited in the TCPACCEPT chain; maybe the web browser used them. To check if this is the issue, move the rule "-A INETIN -m state --state ESTABLISHED -j ACCEPT" to the beginning of the INETIN chain and check if something changed.

Check logs, maybe some messages are there. Also do what unSpawn wrote.
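A small checker for the reordering suggested above, added here as an example and not code from the thread or from MonMotha's script. It reads `iptables -S` output (the sample below is constructed, not the poster's real ruleset), lists the INETIN rules evaluated ahead of the ESTABLISHED accept, flags those that drop or jump into a rate-limited (`-m limit`) chain, and emits the dump with the ESTABLISHED rule moved to the top of the chain.

```python
import re

# Constructed sample in `iptables -S` format; only the chain names come from
# the thread, the rules themselves are an assumption about their shape.
SAMPLE_RULES = """\
-P INPUT DROP
-N INETIN
-N TCPACCEPT
-A INPUT -i eth0 -j INETIN
-A INETIN -p tcp -m tcp --dport 80 -j TCPACCEPT
-A INETIN -p tcp -m tcp --dport 443 -j TCPACCEPT
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -j DROP
-A TCPACCEPT -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A TCPACCEPT -j DROP
"""

# Matches both the old -m state and the newer -m conntrack --ctstate form.
ESTABLISHED_ACCEPT = re.compile(r"--(?:ct)?state \S*ESTABLISHED\S* .*-j ACCEPT$")

def chain_rules(dump, chain):
    """Return the -A rules of `chain`, in evaluation order, without the prefix."""
    prefix = f"-A {chain} "
    return [l[len(prefix):] for l in dump.splitlines() if l.startswith(prefix)]

def limited_chains(dump):
    """Names of chains containing a rate-limit (-m limit) rule."""
    return {l.split()[1] for l in dump.splitlines()
            if l.startswith("-A ") and " -m limit " in l}

def rules_before_established(dump, chain="INETIN"):
    """Rules of `chain` evaluated before its first ESTABLISHED accept;
    None when the chain has no such rule."""
    rules = chain_rules(dump, chain)
    for i, rule in enumerate(rules):
        if ESTABLISHED_ACCEPT.search(rule):
            return rules[:i]
    return None

def suspect_rules(dump, chain="INETIN"):
    """Earlier rules that can drop or throttle replies of an established flow:
    a direct DROP/REJECT or a jump into a rate-limited chain."""
    limited = limited_chains(dump)
    out = []
    for rule in rules_before_established(dump, chain) or []:
        target = rule.split("-j ", 1)[1].split()[0] if "-j " in rule else ""
        if target in ("DROP", "REJECT") or target in limited:
            out.append(rule)
    return out

def move_established_first(dump, chain="INETIN"):
    """Return the dump with the ESTABLISHED accept moved to the top of `chain`."""
    lines, prefix = dump.splitlines(), f"-A {chain} "
    idx = next(i for i, l in enumerate(lines)
               if l.startswith(prefix) and ESTABLISHED_ACCEPT.search(l))
    rule = lines.pop(idx)
    lines.insert(next(i for i, l in enumerate(lines) if l.startswith(prefix)), rule)
    return "\n".join(lines) + "\n"
```

Run it against `iptables -S` saved to a file to see which rules a reply packet hits before the ESTABLISHED accept; the reordered dump can be reviewed before any change is applied.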
